http-method not specified

Kejal Shah
Ranch Hand

Joined: Jun 27, 2003
Posts: 87
Hi ranchers,
If you combine the errata of HFSJ book and the pages 634, 635, you'll end up confused.

Specific question is:
What would happen if <http-method> element is not specified for a <url-pattern> in <web-resource-collection> of <security-constraint>?

A. ALL http-methods are ALLOWED
B. ALL http-methods are CONSTRAINED

I think the answer should be A. Please pour in your views.


Kejal
SaneDevil@gmail.com
Kejal Shah
Ranch Hand

Joined: Jun 27, 2003
Posts: 87
Guys, any views on this one?
John Mallavalli
Ranch Hand

Joined: Apr 24, 2002
Posts: 46
Hi Kejal,
Even I think the answer should be A.
Cheers,
John


Do not let what you cannot do interfere with what you can do !!

SCJP & SCWCD 1.4
shiva viswanathan
Ranch Hand

Joined: Aug 12, 2004
Posts: 152
I think this will also depend on the role names specified under the auth-constraint tag.
Kejal Shah
Ranch Hand

Joined: Jun 27, 2003
Posts: 87
How?
shiva viswanathan
Ranch Hand

Joined: Aug 12, 2004
Posts: 152
If you specify http method as get and role as Admin in auth constraint,
then this means that only Admin can use get method to access the resource.

However, all other methods are unconstrained and can be accessed by all.
Kejal Shah
Ranch Hand

Joined: Jun 27, 2003
Posts: 87
What you say is indeed true IF we specify any http-method. WHAT IF we DON'T specify any http-method?
Bhumika Thakkar
Ranch Hand

Joined: Apr 18, 2005
Posts: 79
1) If http-method does not exist, then ALL methods are BLOCKED for ALL USERS
2) If <auth-constraint> does not exist, ALLOW ALL USERS w/o authentication
3) If <auth-constraint> exists but <role-name> does not exist then NO USERS ARE ALLOWED.

refer pg 636 HFS.


SCBCD (Preparing)
SCWCD, 82%
SCJP, 90%
Kejal Shah
Ranch Hand

Joined: Jun 27, 2003
Posts: 87
Yep, that's what my query was. If you mix the errata and page 636, we end up all confused. Here's the errata:

{634} hand written comment at the bottom;
"If there were NO <http-method> elements in the <web-resource-collection>, it would mean that NO HTTP Methods are allowed, by ANYONE in any role."
should be:
"If there are NO <http-method> elements, in the <web-resource-collection>, it would mean that ALL HTTP Methods are allowed."

and here's the link for quick ref. http://www.oreilly.com/catalog/headservletsjsp/errata/headservletsjsp.confirmed

I think:
if NO http-method specified -> ALL ALLOWED. If we think, this makes sense. The security-constraint element mentions the http-methods to be "constrained". Also, if you mention only GET in http-method, it's constrained, but others, POST, PUT... are allowed. Going by the same logic, NO http-method would mean, ALLOW ALL methods.

I think I'll try and let you guys know.
Bhumika Thakkar
Ranch Hand

Joined: Apr 18, 2005
Posts: 79
"If no <http-method> element is present, then the constraint applies to all of the HTTP methods."
- SCWCD, Hanumant Deshmukh.
Kejal Shah
Ranch Hand

Joined: Jun 27, 2003
Posts: 87
Phew! Finally, I managed to try this out on jsp-examples provided with Tomcat5 installation.

http-method   auth-constraint     result
---------------------------------------------------------------------
none          none                OK. no login asked
none          blank               403 forbidden
none          role-name tomcat    valid login allowed
                                  invalid login not allowed

GET           none                OK. no login asked
GET           blank               403 forbidden
GET           role-name tomcat    valid login allowed
                                  invalid login not allowed

Verdict:
no http-method specified, ALL allowed, and it really depends on the auth-constraint.
Leandro Melo
Ranch Hand

Joined: Mar 27, 2004
Posts: 401
Originally posted by Kejal Shah:

Verdict:
no http-method specified, ALL allowed, and it really depends on the auth-constraint.


Hi Kejal. Actually the spec says the opposite (p. 133 of 2.4 servlet spec)!
no http-method specified, ALL CONSTRAINED
Check out this thread (especially the last post).
http://www.coderanch.com/t/170057/java-Web-Component-SCWCD/certification/security-constraint
[ July 28, 2005: Message edited by: Leandro Melo ]

Leandro Melo
SCJP 1.4, SCWCD 1.4
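
Added example, not part of any post in this thread: a Python sketch that reads a web.xml and reports, per <security-constraint>, the outcome for a given request method, following the Servlet 2.4 rule quoted above that a collection with no <http-method> applies to all methods. The sample XML, the resource names and the `decide`/`audit` helpers are constructed for illustration; it assumes one web-resource-collection per constraint and does not combine overlapping constraints or handle the `*` role.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not from the thread), one <security-constraint> per case.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>no-method-role</web-resource-name>
      <url-pattern>/a/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>get-blank</web-resource-name>
      <url-pattern>/b/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def decide(constraint, method, user_roles=None):
    """Outcome of one request against one constraint; user_roles=None means not logged in."""
    listed = {m.text.strip() for m in constraint.iter("http-method")}
    if listed and method not in listed:
        return "unconstrained"      # method not listed: this constraint does not apply
    auth = constraint.find("auth-constraint")
    if auth is None:
        return "allowed"            # no auth-constraint: no login asked
    roles = {r.text.strip() for r in auth.findall("role-name")}
    if not roles:
        return "forbidden"          # blank auth-constraint: nobody gets in
    if user_roles is None:
        return "login required"
    return "allowed" if roles & set(user_roles) else "forbidden"

def audit(xml_text, method, user_roles=None):
    """Map each web-resource-name to the outcome for the given request method."""
    root = ET.fromstring(xml_text)
    for el in root.iter():          # drop the namespace so plain tag names match
        el.tag = el.tag.split("}")[-1]
    return {c.findtext("web-resource-collection/web-resource-name"): decide(c, method, user_roles)
            for c in root.iter("security-constraint")}

if __name__ == "__main__":
    for m in ("GET", "POST"):
        print(m, audit(SAMPLE, m), audit(SAMPLE, m, ["tomcat"]))
```

An "unconstrained" result for a method such as POST on a GET-only constraint is the case worth reviewing in a real descriptor, since that request reaches the resource without the constraint being applied.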
 